Zero Science Lab

The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to the wget command in /usr/bin/cmdmain ELF binary.

The application suffers from a privilege escalation vulnerability. A normal user (group USER, 0) can elevate her privileges by sending a HTTP POST request and setting the JSON parameter 'privilege' to integer value '1' gaining administrative rights (group ADMINISTRATOR, 1).

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

The application has a hidden administrative account 'cmuser' that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

The application is vulnerable to unauthenticated configuration disclosure when direct object reference is made to the backup archive file using an HTTP GET request. The only unknown part of the filename is the hostname of the system. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

The BAS controller stores sensitive data (backup exports) in clear-text.

The BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources in the system and execute privileged functionalities.

The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause denial of service scenario.

The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.